worker-src
The worker-src directive specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
Recommended Values
'self': allows worker scripts from the same origin
https://subdomain.domain.com: allows worker scripts from a specific external site
Tips & Tricks
If this directive is absent, the user agent falls back to the child-src directive (which itself falls back to the default-src directive).
Don't use 'unsafe-*' values or broad scheme sources such as data:, blob:, http: or https:, as they may introduce security vulnerabilities.
Examples
Allows scripts from the same origin and a specific external site
Content-Security-Policy: worker-src 'self' https://example.com;
Allowed
<!-- allowed by 'self' -->
<script>
  var worker = new Worker('/js/worker.js');
</script>

<!-- allowed by https://example.com -->
<script>
  var sharedWorker = new SharedWorker('https://example.com/shared-worker.js');
</script>

<!-- allowed by 'self' -->
<script>
  navigator.serviceWorker.register('/service-worker.js');
</script>
Blocked
<!-- blocked as data: URI is not allowed -->
<script>
  var blockedWorker = new Worker("data:application/JavaScript, ...");
</script>

<!-- blocked as https://malicious.website.com is not in the allowed sources -->
<script>
  blockedWorker = new SharedWorker("https://malicious.website.com/");
</script>

<!-- blocked as https://malicious.website.com is not in the allowed sources -->
<script>
  navigator.serviceWorker.register('https://malicious.website.com/sw.js');
</script>
Frequently Asked Questions
What is the worker-src directive used for?
The worker-src directive controls which sources can be used to load web workers, shared workers, and service workers in your application. It helps prevent unauthorized scripts from being executed in worker contexts, which run in the background separate from the main page execution.
Default Behavior
If worker-src is not specified, the browser falls back to child-src, and if that's not specified, it falls back to script-src, and finally to default-src.
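The following is an added example, not code from the original page: a small evaluator that applies the fallback chain above to a CSP header and checks a worker URL against the resulting source list, so a defender can reproduce the Allowed/Blocked outcomes from the Examples section and see which directive actually governs workers when worker-src is missing. Origins such as https://app.test are constructed for the example; nonces, hashes and path matching are deliberately left out.

```javascript
// Added example, not code from the original page: decide whether a worker
// script URL is permitted by a CSP header, following the fallback chain
// worker-src -> child-src -> script-src -> default-src. Handles 'self',
// 'none', scheme sources (https:, data:, blob:) and host sources with an
// optional leading wildcard; nonces, hashes and path matching are omitted.

function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// The source list that governs workers, or null when no directive applies.
function effectiveWorkerSources(directives) {
  for (const name of ['worker-src', 'child-src', 'script-src', 'default-src']) {
    if (directives[name]) return directives[name];
  }
  return null;
}

function defaultPort(protocol) { return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : ''; }

function sourceMatches(source, url, pageOrigin) {
  const s = source.replace(/^'(.*)'$/, '$1').toLowerCase();
  if (s === 'none') return false;
  if (s === 'self') return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme source
  // Host source: optional scheme, optional *. wildcard, host, optional port.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  if (wildcard ? !url.hostname.endsWith('.' + host) : url.hostname !== host) return false;
  if (port && port !== '*' && (url.port || defaultPort(url.protocol)) !== port) return false;
  return true;
}

// True when a worker may be loaded from workerUrl on a page at pageOrigin.
function workerAllowed(header, workerUrl, pageOrigin) {
  const sources = effectiveWorkerSources(parsePolicy(header));
  if (sources === null) return true; // no governing directive: nothing restricts workers
  const url = new URL(workerUrl, pageOrigin);
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}
```

Running it against the page's header `worker-src 'self' https://example.com;` with a page at https://app.test reproduces the Allowed and Blocked lists above; running it against a header with only `default-src 'self'; script-src https://cdn.test` shows that script-src, not default-src, ends up governing same-origin workers and blocks them.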
What are common values for worker-src?
Common values include 'self' to allow workers only from your own domain, specific trusted domains for third-party workers, and 'none' to block all workers. For example: worker-src 'self' https://trusted-worker-cdn.example.com
Security Note
Since workers run JavaScript code in the background, it's crucial to only allow trusted sources to prevent potential security risks.
How does worker-src affect Progressive Web Apps (PWAs)?
worker-src is particularly important for PWAs as they often rely on service workers for offline functionality, push notifications, and background syncs. Your worker-src policy must allow service worker files to be loaded from the appropriate locations, typically your own domain.
PWA Best Practice
For most PWAs, setting worker-src to 'self' is sufficient since service workers must be served from the same origin as the page they control.